CPQ Cloud: Advanced Administration - READ-ONLY


Is there a reason the JavaScript onChange event is prohibited by ModSecurity?

edited Aug 5, 2014 7:01PM in CPQ Cloud: Advanced Administration - READ-ONLY · 2 comments · Answered ✓

Our test environment recently got an Apache upgrade that apparently added some ModSecurity rules, one of which flags previously functioning JavaScript as an XSS attack:

[05/May/2014:15:37:29 --0500] [xxx.bigmachines.com/sid#xxx][rid#xxx][/commerce/buyside/document.jsp][1] Access denied with code 403 (phase 2). Pattern match "\\bonchange\\b\\W*?\\=" at ARGS:sfActiveServices. [file "/usr/local/apache2/conf/setup/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "137"] [id "958406"] [rev "2"] [msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: onchange= found within ARGS:sfActiveServices: <select style=\x22overflow-x:scroll; size=10; overflow:-moz-scrollbars-horizontal;\x22 name=\x22usid\x22 style=\x22background-color:white;\x22 onchange=\x22getselectedvalue()\x22><option value=\x22\x22 selected=\x22selected\x22>select a service</option><option value=\x2240225553\x22>40742660 collocation - special request service id: (16-1 & 16-14) iad</option><option value=\x2240225564\x22>40742672 data center space charges - p service id: coloc..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]

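To show exactly what rule 958406 is reacting to, here is an added example that is not part of the original post and not Oracle's or ModSecurity's own code. It re-implements the one check visible in the log line (the pattern `\bonchange\b\W*?\=` applied to every ARGS value) in Python and runs it over constructed request arguments, including the `<select>` markup quoted in the question. The transformation chain (`htmlEntityDecode`, `compressWhitespace`, `lowercase`) is an assumption inferred from the lower-cased "Matched Data" in the log, and the `excluded_targets` parameter is a stand-in for a ModSecurity per-rule target exclusion such as `SecRuleUpdateTargetById 958406 "!ARGS:sfActiveServices"`; the parameter name `sfActiveServices` is the one from the log, the other argument names and values are made up.

```python
import html
import re
from typing import Dict, Iterable, List, Tuple

# Pattern copied from the ModSecurity log line (rule id 958406, CRS 2.2.7).
# The log shows it as "\\bonchange\\b\\W*?\\=" because the audit log escapes
# backslashes; the actual regex is \bonchange\b\W*?\=  i.e.
#   \b        word boundary, so "notonchange=" is NOT matched
#   onchange  the attribute name
#   \b\W*?    any run of non-word characters (spaces, quotes) before the '='
#   \=        the literal '=' that turns the word into an attribute assignment
ONCHANGE_PATTERN = re.compile(r"\bonchange\b\W*?\=")

# Constructed request arguments (not a captured request). The first value is the
# legitimate <select> markup quoted in the question; the rest are added to show
# where the rule's boundaries lie.
SAMPLE_ARGS: Dict[str, str] = {
    "sfActiveServices": '<select name="usid" onchange="getselectedvalue()">'
                        '<option value="">Select a service</option></select>',
    "comment": "Please call me onchange of address",  # the word, but no '=' follows
    "q": 'x" onChange = alert(1) "',                  # attacker style: mixed case, spaces before '='
    "note": "notonchange=1",                          # no word boundary before "onchange"
}


def normalize(value: str) -> str:
    """Approximate the CRS 2.2 transformation chain (assumption: the log's
    matched data is all lower case, which is what t:lowercase produces)."""
    value = html.unescape(value)          # approximates t:htmlEntityDecode
    value = re.sub(r"\s+", " ", value)    # approximates t:compressWhitespace
    return value.lower()                  # t:lowercase


def inspect_args(args: Dict[str, str],
                 excluded_targets: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Apply the rule to every ARGS value except the excluded ones.

    Returns (argument name, matched text) for each hit. An empty list means the
    request would have passed this rule. `excluded_targets` plays the role of a
    ModSecurity target exclusion, e.g. SecRuleUpdateTargetById 958406
    "!ARGS:sfActiveServices" (assumed mapping, not ModSecurity's own code).
    """
    skip = set(excluded_targets)
    hits: List[Tuple[str, str]] = []
    for name, value in args.items():
        if name in skip:
            continue
        match = ONCHANGE_PATTERN.search(normalize(value))
        if match:
            hits.append((name, match.group(0)))
    return hits


if __name__ == "__main__":
    # Without any exclusion the legitimate markup and the attack look identical
    # to the rule: both contain "onchange" followed by an '='.
    for name, matched in inspect_args(SAMPLE_ARGS):
        print(f"blocked: ARGS:{name} matched {matched!r}")

    # After excluding the one parameter known to carry HTML, the rule still
    # catches the attacker-style value in another parameter.
    for name, matched in inspect_args(SAMPLE_ARGS, excluded_targets={"sfActiveServices"}):
        print(f"still blocked: ARGS:{name} matched {matched!r}")
```

The point the run makes is that the rule is purely syntactic: it has no way to tell that `sfActiveServices` is the application round-tripping its own `<select>` markup rather than a user injecting an event handler, so any parameter that legitimately carries HTML with inline event attributes will trip it. The usual fix is therefore not to weaken the rule globally but to exclude only the known parameter for the affected location, which is what the `excluded_targets` argument models; whether that exclusion is acceptable depends on whether the application itself validates or encodes that parameter, since after the exclusion the WAF no longer does.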
